IPsec log level

I am trying to limit the log level of IPsec as it floods syslog with DPD messages.

I found that the log level should be set here:


    # Section to define syslog loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    syslog {

        # Identifier for use with openlog(3).
        # identifier =

        # <facility> is one of the supported syslog facilities, see LOGGER
        # CONFIGURATION in strongswan.conf(5).
        # <facility> {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # Default loglevel.
            default = -1

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            # ike_name = no

            # Add the log level of each message after the subsystem (e.g.
            # [IKE2]).
            # log_level = no

        # }


But it does not matter whether I set default = 0 or default = -1, the log level does not change.

What am I missing? I am using the old ipsec method (/etc/ipsec.conf), not swanctl.

The solution:

You need to add this part to /etc/ipsec.conf:

    config setup
        charondebug=dmn 0, mgr 0, ike -1, chd 0, job 0, cfg 0, knl 0, net 0, asn 0, enc 0, lib 0, esp 0, tls 0, tnc 0, imc 0, imv 0, pts 0

Log levels for each subsystem can be set between -1 and 4. More details: Logging

Although it is a bit weird that by default the DPD log is a bit more verbose than it should be.
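An added example, not taken from the post or from the strongSwan project, showing both ways of reaching the same result; it assumes the standard layout in which strongswan.conf includes /etc/strongswan.d/charon-logging.conf. In the fragment quoted in the question the `# <facility> {` and `# }` lines are still commented out, so `default = -1` sits directly under `syslog` rather than inside a facility block and is never attached to a logger; the block below uses the `daemon` facility, which is the one charon's default syslog logger writes to. It also keeps `ike` at 0 instead of -1: by strongSwan's documented level semantics, -1 is completely silent, 0 keeps the basic auditing lines (IKE_SA and CHILD_SA up/down), and 1 is the generic control-flow level at which the DPD and retransmit chatter is emitted. Level 0 therefore drops the noise while leaving the SA lifecycle events an incident responder will want in syslog.

```conf
# Option A: /etc/strongswan.d/charon-logging.conf (included by strongswan.conf).
# The facility block itself must be uncommented; "daemon" is the facility
# charon uses for its default syslog logger. Subsystems not listed inherit
# "default". (Example configuration, not the file shipped with strongSwan.)
charon {
    syslog {
        daemon {
            default = 1     # generic control flow plus errors for everything else
            ike = 0         # SA up/down auditing only; DPD/retransmit lines are level 1
            ike_name = yes  # prefix each entry with connection name and IKE_SA number
        }
    }
}

# Option B: /etc/ipsec.conf (legacy starter/stroke setup), same effect.
# Subsystems not listed in charondebug stay at the built-in default of 1.
config setup
    charondebug="ike 0"
```

Use one mechanism or the other, not both: charondebug only sets the levels of the default daemon-facility syslog logger, and charon creates that default logger only when strongswan.conf configures no syslog or filelog loggers of its own, so once a `daemon { ... }` block exists the charondebug values are no longer applied. Whichever file you edit, the change takes effect on the next restart of the daemon.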

